SPAN to CPU On Nexus 9000 [Step by Step Configuration Example]

Introduction: What is SPAN to CPU

A SPAN-to-CPU packet capture allows network administrators to quickly and easily validate whether specific packets ingress and egress a Cisco Nexus 9000 Cloud Scale series switch.

Note: As a protection for the CPU from the replicated traffic via SPAN-to-CPU feature, Cisco Nexus 9000 series switches limit the rate of traffic replicated to the control plane through a SPAN-to-CPU monitor session to 50 kbps.

The Hardware Limiter of 50 kbps can be changed, for example, we will change it to 100 kbps:

N9K(config)# hardware rate-limiter span 100 
N9K(config)# end 
N9K# show hardware rate-limiter span 


Step-1: Configure SPAN-to-CPU Monitor Session

The following configuration will replicate traffic from the source interface Ethernet 1/3 in both direction and send it to the CPU interface sup-eth0

N9K(config)# monitor session 1 
N9K(config-monitor)# source interface Ethernet1/3 both
N9K(config-monitor)# destination interface sup-eth0 
N9K(config-monitor)# no shut

! verify session is up:
N9K# show monitor 
Session   State         Reason                   Description 
- - - - - - -   - - - - - - - - - - -   - - - - - - - - - - - - 
1         up            The  session  is  up 


Note: verify if you have an available monitor session available on the Switch, Cloud Scale ASIC that run NX-OS software support a maximum of four active SPAN or ERSPAN sessions per ASIC.


Step-2: Capture the replicated Packets received on the CPU Interface (Control plane)

To capture packets on the control plane, we will use Ethanalyzer, you can set filter exacly like Tshark:

N9K# ethanalyzer local interface inband mirror display-filter "ip.addr==10.10.0.112" limit-captured-frames 0

Add details at the end to see the whole datagram of the packet:

N9K# ethanalyzer local interface inband mirror display-filter "ip.addr==10.10.0.112" limit-captured-frames 0 detail


Step-3: Save the Capture and use Wireshark to read (Optional)

You can save the capture as pcap file and open it later with Sniffer Software, just add write to destination folder, it can be bootflash or usb for example:

N9K# ethanalyzer local interface inband mirror display-filter "ip.addr==10.10.0.112" limit-captured-frames 0 write bootflash:test.pcap  



Reference: https://www.cisco.com/c/en/us/support/docs/switches/nexus-9000-series-switches/215329-nexus-9000-cloud-scale-asic-nx-os-span-t.html

Bilel

Bilel

0 0 votes
Article Rating
Subscribe
Notify of
guest

0 Comments
Inline Feedbacks
View all comments
Learn Duty
0
Would love your thoughts, please comment.x
()
x